Sandboxing with systemd-run
So this applies to all coding agents, but I’m just exercising it with aider here. TBH I even trust aider pretty much and have more concerns with other beasts like Codename Goose, Claude Code, PI and others … … so in order to constrain those tools I first went with Docker … which felt like a natural choice. Especially since I’m pretty fluent with it … which I unfortunately still cannot say is true regarding systemd....